Generating TLS/SSL certificates using OpenSSL 3.5-compliant algorithms

To use the OpenSSL 3.5 providers (FIPS and default), the certificates used for TLS/SSL encryption must be generated and packaged with cryptographic algorithms that these providers support. In the commands below that means AES-256-CBC for the PKCS#12 key and certificate encryption (-keypbe and -certpbe) and no PKCS#12 integrity MAC (-nomac), because the key derivation used for that MAC (PKCS12KDF) is not available in the FIPS provider.

There are multiple ways of generating these certificates. The following commands demonstrate one of them: they package existing certificates (and, for the keystore, the matching private key) into the truststore and keystore files in PKCS#12 (.pfx) format.

Note: The openssl.exe file is required for running these commands. You can download it from the official OpenSSL website.
Note: The OpenSSL 3.5.x configuration described here enforces Security Level 2, under which RSA, DSA and DH keys shorter than 2048 bits are rejected. Certificates must therefore be issued for RSA keys of 2048 bits or more. A certificate that still carries a 1024-bit key is rejected during the SSL/TLS handshake, whether it is the server's own certificate or a CA certificate in its chain.

For truststore.pfx, every CA certificate must carry a public key of 2048 bits or more.

For keystore.pfx, both the private key and the public key in the matching certificate must be 2048 bits or more to comply with OpenSSL Security Level 2.

Truststore:

openssl.exe pkcs12 -in certificate_name -export -out truststore_filename -nokeys -keypbe cryptographic_algorithm -certpbe cryptographic_algorithm -password pass:truststore_password -nomac

where:

certificate_name
is the file (PEM format) containing the CA certificate to add to the truststore. If the file contains several certificates, all of them are added.
truststore_filename
is the name of the truststore file to create.
cryptographic_algorithm
is the cipher used to encrypt the certificate bags (-certpbe) and key bags (-keypbe) inside the PKCS#12 file. Use an algorithm that the FIPS provider supports, such as AES-256-CBC; the legacy PKCS#12 defaults (RC2 and 3DES) must not be used.
truststore_password
is the password required for accessing the truststore file.

Example:

openssl.exe pkcs12 -in nc-thunder-SHA256.cer -export -out truststorepw.pfx -nokeys -keypbe AES-256-CBC -certpbe AES-256-CBC -password pass:MyPassW0rd -nomac

Keystore:

openssl.exe pkcs12 -in certificate_name -inkey privatekey_file -export -out keystore_file -keypbe cryptographic_algorithm -certpbe cryptographic_algorithm -nomac

where:

certificate_name
is the file (PEM format) containing the server certificate that matches the private key.
privatekey_file
is the name of the file that contains the private key.
keystore_file
is the name of the keystore file to create.
cryptographic_algorithm
is the cipher used to encrypt the key bags (-keypbe) and certificate bags (-certpbe) inside the PKCS#12 file. Use an algorithm that the FIPS provider supports, such as AES-256-CBC.

Because this command does not pass -password, openssl prompts for the export password. To run it non-interactively, add -password pass:keystore_password as in the truststore command.

Example:

openssl.exe pkcs12 -in nc-thunder-SHA256.cer -inkey ./file.pem -export -out keystorepw.pfx -keypbe AES-256-CBC -certpbe AES-256-CBC -nomac

Note: If you use the Windows certificate store for TLS/SSL encryption, import the certificates generated with the OpenSSL 3.5-compliant algorithms into that store.